pixcakeai
v1.0.3提供佳能 IXUS 130 CCD 经典效果的照片美化,支持智能提取并添加自定义底部水印,高质量输出。
⭐ 0· 106·0 current·0 all-time
by@x0cd
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, SKILL.md, skill.yaml, and the included Node.js implementation all match: image in, CCD-style processing, optional bottom watermark out. The only dependency (sharp) is appropriate for image processing.
Instruction Scope
SKILL.md describes in-memory image processing and watermarking; the JS handler implements those steps and does not read other system files, fetch network resources, or ask for unrelated data. Input is validated for presence and watermark text is HTML-escaped before embedding in an SVG.
Install Mechanism
No explicit install spec (instruction-only), but package.json declares 'sharp' which is a native-imaging dependency that may pull platform-native binaries during install. This is expected for image processing but means native libs will be installed when the skill is deployed.
Credentials
The skill requests no environment variables, no credentials, and no config paths — consistent with a stateless image-processing utility.
Persistence & Privilege
always is false and the skill does not attempt to modify other skills or persistent system configuration. It processes images in memory and returns base64 output; no on-disk persistence is present in the code.
Assessment
This skill appears to do exactly what it says: apply CCD-style enhancements and optionally add a bottom watermark, all in-memory with no external network calls or credential use. Things to consider before installing: (1) It depends on the 'sharp' native package — deployment will install native binaries which can increase attack surface and require build toolchain on some hosts. (2) Large or specially crafted images could use substantial memory (potential DoS/resource exhaustion risk); consider size limits or request throttling. (3) The watermark text is HTML-escaped for &, <, >, and "; that mitigates common SVG injection but is a simple sanitizer — if you accept arbitrary untrusted input you may want stricter validation. (4) SKILL.md claims 'no data retention' and the code writes nothing to disk, but verify the hosting environment's logging/retention policies if privacy is a concern. Overall the package is internally coherent and there are no obvious indicators of malicious behavior.Like a lobster shell, security has layers — review code before you run it.
latestvk97afz2m0stt67kw430y8vm7a583gapd
License
MIT-0
Free to use, modify, and redistribute. No attribution required.